From: David Wilemski Date: Sat, 17 Dec 2011 19:45:59 +0000 (-0500) Subject: Fix for bug #392 X-Git-Tag: v2.2.0~53^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0635284834f18601e868c96244bc61702eade310;p=thirdparty%2Ftornado.git Fix for bug #392 Validates the remote_ip from xheaders using socket.inet_pton
---
diff --git a/tornado/httpserver.py b/tornado/httpserver.py
index 74f1a8acf..13580159b 100644
--- a/tornado/httpserver.py
+++ b/tornado/httpserver.py
@@ -362,6 +362,8 @@ class HTTPRequest(object):
 # Squid uses X-Forwarded-For, others use X-Real-Ip
 self.remote_ip = self.headers.get(
 "X-Real-Ip", self.headers.get("X-Forwarded-For", remote_ip))
+ if not self.__valid_ip(self.remote_ip):
+ self.remote_ip = remote_ip
 # AWS uses X-Forwarded-Proto
 self.protocol = self.headers.get(
 "X-Scheme", self.headers.get("X-Forwarded-Proto", protocol))
@@ -457,3 +459,14 @@ class HTTPRequest(object):
 args = ", ".join(["%s=%r" % (n, getattr(self, n)) for n in attrs])
 return "%s(%s, headers=%s)" % (
 self.__class__.__name__, args, dict(self.headers))
+
+ def __valid_ip(self, ip):
+ try:
+ address = socket.inet_pton(socket.AF_INET, ip)
+ except socket.error:
+ try:
+ address = socket.inet_pton(socket.AF_INET6, ip)
+ except socket.error:
+ return False
+
+ return True
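Review bot: The added check `if not self.__valid_ip(self.remote_ip):` validates the whole header value, but X-Forwarded-For commonly carries a comma-separated chain (`client, proxy1, proxy2`), which inet_pton rejects, so those requests silently fall back to the socket peer address. Validating a single element keeps the fallback for genuinely malformed input only, e.g. `candidate = self.remote_ip.split(",")[-1].strip()` before the check; the last element is the one appended by the nearest proxy, while earlier ones are supplied by the client. The check is also purely syntactic, so a well-formed but forged address still passes; a comment such as `# only trustworthy when a trusted proxy sets or overwrites these headers` would make that explicit. The enclosing method starts and ends outside the hunk, so how this branch is gated is not visible here.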
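Review bot: `__valid_ip` catches only `socket.error`, but `socket.inet_pton` is not available on every platform (the Python documentation lists it as missing on Windows before Python 3.4), and there the call would raise AttributeError, which presumably fails the request rather than falling back to the peer address. A portable alternative is a numeric-only lookup, `socket.getaddrinfo(ip, 0, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_NUMERICHOST)`, treating `socket.gaierror` as invalid and rejecting empty strings first. The two `address =` bindings are never read and can be dropped. The double-underscore name is mangled to `_HTTPRequest__valid_ip`, so a single-underscore `_valid_ip` with a docstring like `"""Return True if ip is a literal IPv4 or IPv6 address."""` would be easier for subclasses and tests to reach.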